Slack's security worries some CEOs, who say that employees 'never shut up' on the app

CEOs tell CNBC they are growing more concerned about how much information their employees share on Slack, and whether they have the right controls in place to deal with it.

According to Verizon's annual data breach report, about a quarter of corporate breaches are related to insiders.

Slack has tools to control information flow, but a lot of Slack installations come from the "bottom up," without IT involvement.


Slack recently entered a quiet period ahead of its public market debut, which is expected later this year. Meanwhile, many corporate executives would like a little more quietness on the Slack messaging app, where employees are prone to saying way too much.

More than 10 million people use Slack every day, mostly to communicate with co-workers. The app has gained so much popularity in the five-plus years since its launch that private investors value the company at over $7 billion.

But executives who spoke with CNBC about employee use of the app fear that the freely exchanged — and often sensitive — information could easily find its way into more public forums.

"I love my people, but they never shut up on Slack," said the CEO of a security company who asked not to be named so he could speak openly about his concerns. "It's very good for productivity, but the problem is we're working on security, so we have to be careful about what we say."

Employees communicate on Slack using "channels" to focus conversations on various topics specific to different departments. Slack followed corporate chat tools from Microsoft, Google and Cisco as well as a plethora of start-ups, but none gained Slack's level of adoption or had so much success in pulling workers away from email and into messaging groups.

Among executives who spoke with CNBC, a common theme emerged. They're worried about keeping tabs on fast-moving conversations that could harm the company's reputation should they ever be made public. Executives also said they're concerned about controlling the number of people who can access channels containing confidential and proprietary information.

David Politis, CEO of cloud security vendor BetterCloud, said that in a recent survey conducted by his company, 75 percent of technology security professionals said emerging threats from cloud-based email and collaboration tools like Slack are top of mind. According to Verizon's annual data breach report, about a quarter of corporate breaches are related to insiders, who have much more access to information than in the past thanks to cloud collaboration tools like Slack, Dropbox and Google's G Suite.

If companies aren't diligent about how accounts are created and managed, these cloud services can remain accessible to people long after they've left the company, perhaps for a competitor.

Slack has tools to help — as long as customers know to use them

Slack offers tools to address these risks, giving administrators ways to limit and control access to the channels they manage.

For instance, administrators have long been able to create private channels which are only accessible to employees who are specifically invited. They also have the ability to revoke access when an employee leaves or is reassigned.

In March, Slack introduced a feature called "enterprise key management," which adds a layer of security by letting administrators see exactly who's sharing what in the app, and revoke access at a very granular level. Administrators can block specific users from accessing certain channels during certain times of day, for example.

Slack also supports data loss prevention tools from companies including Cisco, McAfee, Netskope, Palo Alto Networks and Symantec, designed mostly to protect information from leaking to outsiders, according to a company spokesperson.

It also works with third-party e-discovery tools, which allow customers to have searchable access to the data being quickly exchanged back and forth over Slack, since many organizations have legal and regulatory obligations to keep track of this information. Slack partners with e-discovery companies including Bloomberg Vault, Global Relay, Onna and Smarsh, the spokesperson said.

Even so, all of these tools only work if companies use them. In many organizations, cloud-based tools like Slack enter from the "bottom up," meaning that normal employees start using them for work productivity without drawing IT into the loop. As a result, the people administering Slack channels may have no idea that these tools are available or how to use them — they may not even be aware of the risks.

And even with all these tools, there's little to stop an employee from leaking a sensitive conversation, according to the security company CEO mentioned earlier. That's where his company does its own training.

"We continually try to explain the importance of knowing what is appropriate to talk about on the channel and what you should reserve for more secure methods or even just for your coffee break," the executive said.